Monday, November 24, 2014

SEC Risk Factors: How To Determine The Business Value Of Your Data To A Foreign Government

“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.”

- CF DISCLOSURE GUIDANCE: TOPIC NO. 2 “CYBERSECURITY”

EXECUTIVE SUMMARY

The SEC’s Cybersecurity Disclosure Guidance of 2011, President Obama’s Executive Order 13636 on Critical Infrastructure Cybersecurity (2013) and the launch of NIST’s Cybersecurity Framework (2014) have had a major impact on publicly traded companies and financial institutions, which are struggling to quantify their risk analysis in the new domain of cyberspace.

While the SEC has not yet codified its cybersecurity guidance (Corp Fin Disclosure Guidance: Topic No. 2), it has already issued 50 comment letters to public companies that have not adequately complied with the new guidelines. In fact, that appears to be a long-standing complaint of the SEC staff, who would “like [registrants] to ... get away from mind-numbing risk factors disclosures to a more targeted discussion.”

Although the SEC’s cybersecurity guidelines aren’t yet regulations, the disclosure of risk factors such as credit and liquidity has been a requirement for many years, and a mandatory non-generic risk factor analysis of a company’s digital assets cannot be far off. The dilemma that boards and general counsels are facing today is that too much disclosure might hurt the company’s business, while too little disclosure may, at a minimum, result in the company receiving an SEC comment letter.

This white paper will explore where the SEC is headed on this issue and propose a novel solution that is both specific to the company and avoids the potential danger of revealing too much information about company vulnerabilities: the ability to verifiably assess the value of your intellectual property (IP) to a rival Nation State by establishing its Target Asset Value™.